---
layout: docs
page_title: Augment entropy with external sampling
description: >-
  Sample entropy from external cryptographic modules to augment Vault defaults.
---

# Augment entropy with external sampling

@include 'alerts/enterprise-only.mdx'

<Warning>
  Entropy augmentation <b>is not</b> available with "FIPS 140-2 Inside" variants of
  Vault.
</Warning>

Vault Enterprise features a mechanism to sample entropy (or randomness for
cryptographic operations) from external cryptographic modules via the [seals](/vault/docs/configuration/seal)
interface. While the system entropy used by Vault is more than capable of
operating in most threat models, there are some situations where additional
entropy from hardware-based random number generators is desirable.

With Entropy Augmentation enabled, the following keys and tokens leverage the
configured external entropy source.

| Operation                | Description                                                                          |
| ------------------------ | ------------------------------------------------------------------------------------ |
| Root Key               | AES key that is encrypted by the seal mechanism. This encrypts the key ring.         |
| Key Ring Encryption Keys | The keys embedded in Vault's keyring which encrypt all of Vault's storage.           |
| Recovery Key             | With auto-unseal, use the recovery keys to regenerate root token, key rotation, etc. |
| TLS Private Keys         | For HA leader, Raft and Enterprise Replications.                                     |
| MFA TOTP Keys            | The keys used for TOTP in Vault Enterprise MFA                                       |
| JWT Signing Keys         | The keys used to sign wrapping token JWTs.                                           |
| Root Tokens              | Superuser tokens granting access to all operations in Vault.                         |
| DR Operation Tokens      | Token that allows certain actions to be performed on a DR secondary.                 |

The [transit secrets engine](/vault/docs/secrets/transit) manages a number of 
different key types and leverages the
[`keysutil`](https://godoc.org/github.com/hashicorp/vault/sdk/helper/keysutil)
package to generate keys. It will use the external entropy source for key
generation.

<Warning>

When you enable the external entropy source, Vault requires connectivity to the
HSM. If the HSM becomes unreachable for any reason, the transit secrets engine
can't generate new keys or rotate existing keys.

</Warning>

To use this feature, you must have an active or trial license for Vault
Enterprise. To start a trial, contact [HashiCorp sales](mailto:sales@hashicorp.com).

# Critical security parameters (CSPs)

Entropy augmentation allows Vault Enterprise to supplement its system entropy with
entropy from an external cryptography module. Designed to operate in environments
where alignment with cryptographic regulations like [NIST SP800-90B](https://csrc.nist.gov/publications/detail/sp/800-90b/final)
is required or when augmented entropy from external sources such as hardware true
random number generators (TRNGs) or [quantum computing TRNGs](https://www.hashicorp.com/blog/quantum-security-and-cryptography-in-hashicorp-vault/)
are desirable, augmented entropy replaces system entropy when performing random
number operations on critical security parameters (CSPs).

These CSPs have been selected from our previous work in [evaluating Vault for conformance with
FIPS 140-2 guidelines for key storage and key transport](https://www.datocms-assets.com/2885/1510600487-vault_compliance_letter_fips_140-2.pdf)
and include (but not limited to) the following:

- Vault's root key
- Keyring encryption keys
- Auto Unseal recovery keys
- TLS private keys for inter-node and inter cluster communication (HA leader, raft, and replication)
- Enterprise MFA TOTP token keys
- JWT token wrapping keys
- Root tokens
- DR operation tokens
- [Transit](/vault/docs/secrets/transit) backend key generation and `/random` endpoint (`/random` only on Vault 1.11+)
- [PKI](/vault/docs/secrets/pki) issuer key generation, but not for leaf certificate private keys
- [`/sys/tools/random`](/vault/api-docs/system/tools#generate-random-bytes) endpoint (Vault 1.11+)
- [SSH](/vault/docs/secrets/ssh) CA key generation, but not for key pair generation
- [KMIP](/vault/docs/secrets/kmip) uses EA for its TLS CA, server, and client
  certificates.
- TOTP two factor keys.


## Enabling/Disabling

Entropy augmentation is disabled by default. To enable entropy augmentation Vault's
[configuration file][configuration] must include a properly configured [entropy and seal stanza](/vault/docs/configuration/entropy-augmentation)
for a supported seal type.

[configuration]: /vault/docs/configuration
